A Formal Enforcement Framework for Role-Based Access Control Using Aspect-Oriented Programming

  • Jaime Pavlich-Mariscal
  • Laurent Michel
  • Steven Demurjian
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3713)


Many of today’s software applications require a high level of security, defined by a detailed policy and attained via mechanisms such as role-based access control (RBAC), mandatory access control, digital signatures, etc. The integration of the design/implementation processes of access-control policies with runtime enforcement mechanisms is crucial to achieve an acceptable level of security for a software application. Our prior research focused on formalizing the concept of a role slice, which is a unified modeling language (UML) artifact that captures RBAC security requirements by defining permissions in the form of allowable or prohibited methods, and by specifying roles as specialized class diagrams that contain those methods. This paper augments this effort by introducing a formal framework for the security of software applications that supports the automatic translation of a role-slice access-control policy (RBAC requirements) into aspect-oriented programming (AOP) enforcement code that is seamlessly integrated with the application. The formal framework provides the necessary underpinnings to automate the integration of security policies into software. A prototyping effort based on Borland’s UML tool Together Control Center for defining role-slice diagrams and the associated AOP code generator is under development.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jaime Pavlich-Mariscal (1)
  • Laurent Michel (1)
  • Steven Demurjian (1)
  1. Department of Computer Science & Engineering, The University of Connecticut, Unit-2155, Storrs
